Securing Virtual Machines in the Data Center

Address the challenges of VM security with these tips for Hyper-V.
This story appears in the June 2010 issue of BizTech Magazine.

According to recent research by Gartner, 60 percent of virtual servers are less secure than their physical counterparts. Although many methods for securing physical servers also apply to virtualized workloads, additional steps need to be taken to properly secure virtual infrastructures.

Securing the Host Operating System

Although Hyper-V does not allow third-party code to run inside the hypervisor itself, the host operating system (the parent partition) still has to be hardened so that malicious code cannot execute there, and it has to be monitored so that no single VM can consume all of the host's resources. Hyper-V provides basic controls for capping each VM's share of physical memory and CPU time; leaving them at their defaults means one runaway or compromised guest can starve every other VM on the host.
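The following script is an added example, not code from the article, showing the two per-VM caps the paragraph refers to and a check that reports guests left at the defaults. It assumes the Hyper-V PowerShell module that ships with Windows Server 2012 and later; Windows Server 2008 R2 exposed the same settings only through Hyper-V Manager or the root\virtualization WMI namespace. The VM names are placeholders.

```powershell
# Added example (not from the original article): cap what a single VM can draw
# from the host, then audit for VMs that are still uncapped. Assumes the Hyper-V
# PowerShell module (Windows Server 2012 and later). VM names are placeholders.
#Requires -Modules Hyper-V

function Set-VmResourceCap {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$CpuMaxPercent = 50,      # hard ceiling on the VM's share of its vCPUs
        [int]$CpuReservePercent = 10,  # guaranteed minimum, so a noisy neighbour cannot starve it
        [long]$MaxMemoryBytes = 4GB    # must not be below the VM's startup memory
    )
    # -Maximum and -Reserve are percentages of the vCPUs assigned to the VM
    Set-VMProcessor -VMName $VMName -Maximum $CpuMaxPercent -Reserve $CpuReservePercent
    # Toggling dynamic memory requires the VM to be off; MaximumBytes is then the
    # most the balloon driver will ever hand the guest
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true -MaximumBytes $MaxMemoryBytes
}

function Get-UncappedVm {
    # A VM is "uncapped" if its processor ceiling is still the default 100% or
    # its memory ceiling is not below the host's physical RAM
    $hostRam = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    foreach ($vm in Get-VM) {
        $cpu = Get-VMProcessor -VM $vm
        $mem = Get-VMMemory -VM $vm
        $memCeiling = if ($mem.DynamicMemoryEnabled) { $mem.Maximum } else { $mem.Startup }
        if ($cpu.Maximum -ge 100 -or $memCeiling -ge $hostRam) {
            [pscustomobject]@{
                VMName     = $vm.Name
                CpuMaxPct  = $cpu.Maximum
                MemCeiling = $memCeiling
            }
        }
    }
}

# Usage (placeholder VM name):
# Set-VmResourceCap -VMName 'WEB01' -CpuMaxPercent 40 -MaxMemoryBytes 2GB
# Get-UncappedVm | Format-Table -AutoSize
```

Get-UncappedVm is the check worth scheduling: a VM created through the wizard with the defaults will show up with CpuMaxPct of 100 until someone sets a ceiling.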

To minimize the attack surface as much as possible, the host OS should run Windows Server 2008 R2 Server Core with the Hyper-V role installed, or the standalone Hyper-V Server 2008 R2 product.

To keep host management traffic separate from VM traffic, a minimum of two physical network adapters is required: one for the host machine and another for VMs. Hyper-V's Virtual Network Manager creates the virtual switches to which VMs connect, and the type of virtual network you choose affects the security of both the VMs and the host OS:

  • External virtual networks are bound to a physical network adapter in the host. VMs connected to an external virtual network can reach any network that the physical adapter can reach.
  • Internal virtual networks allow VMs to communicate only with each other and with the host OS.
  • Private virtual networks have no physical adapter and no host connection, so VMs can communicate only with other VMs on the same physical machine.

If you isolate virtual networks from the physical network in this way, traffic between VMs never crosses a physical switch where a conventional sensor would see it, so consider installing a Network Intrusion Detection System (NIDS) on your virtual network segments.
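As an added example (not code from the article), the script below creates the three switch types just described and then audits which VM adapters can reach a physical network and where the host still shares a switch with guests. It assumes the Hyper-V PowerShell module (Windows Server 2012 and later; on Windows Server 2008 R2 the same switches are created in Virtual Network Manager). The adapter name 'NIC2' and the switch names are placeholders.

```powershell
# Added example (not from the original article): build external, internal and
# private switches, then report each VM adapter's exposure. Assumes the Hyper-V
# PowerShell module (Windows Server 2012 and later). 'NIC2' is a placeholder for
# the physical adapter dedicated to VM traffic.
#Requires -Modules Hyper-V

# External: bound to a physical NIC dedicated to VMs. -AllowManagementOS $false
# keeps the parent partition off this switch, so host management traffic stays
# on its own adapter rather than sharing a wire with guest traffic.
New-VMSwitch -Name 'VM-External' -NetAdapterName 'NIC2' -AllowManagementOS $false

# Internal: VMs plus the host, no physical NIC behind it.
New-VMSwitch -Name 'VM-Internal' -SwitchType Internal

# Private: VMs on this host only; the parent partition has no adapter on it.
New-VMSwitch -Name 'VM-Private' -SwitchType Private

function Get-VmNetworkExposure {
    # One row per VM network adapter, flagging adapters that can reach a physical
    # network and switches that still have the host attached.
    $switches = @{}
    foreach ($sw in Get-VMSwitch) { $switches[$sw.Name] = $sw }
    foreach ($nic in Get-VMNetworkAdapter -VMName *) {
        $sw = if ($nic.SwitchName) { $switches[$nic.SwitchName] }
        [pscustomobject]@{
            VMName           = $nic.VMName
            Switch           = $nic.SwitchName
            SwitchType       = if ($sw) { [string]$sw.SwitchType } else { 'Disconnected' }
            ReachesPhysical  = [bool]($sw -and $sw.SwitchType -eq 'External')
            HostOnSameSwitch = [bool]($sw -and $sw.AllowManagementOS)
        }
    }
}

# Usage:
# Get-VmNetworkExposure | Sort-Object ReachesPhysical -Descending | Format-Table -AutoSize
```

HostOnSameSwitch is true for every internal switch by design; the rows to question are external switches where it is also true, because that means the host's management interface was left on the same virtual switch as the guests.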

To harden the host OS beyond its default settings, apply the Specialized Security Limited Functionality (SSLF) baseline, which Microsoft's Security Compliance Manager (a free download from Microsoft) provides as an .inf file. The settings can be imported into local policy or into a Group Policy Object for distribution to multiple computers.

After loading the SSLF baseline into local policy or a Group Policy Object, import an additional .inf file that grants the Virtual Machines group the "Create symbolic links" user right, because the hardened baseline removes a right that Hyper-V's virtual machine worker processes need. Full instructions on how to import security settings into Group Policy Objects are included with the Security Compliance Manager download. Be sure to test policy settings in a lab before applying them in a production environment.
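The script below is an added example (not the article's .inf file) of the user-rights fix described above, applied to local policy with secedit and then verified. S-1-5-83-0 is the well-known SID of NT VIRTUAL MACHINE\Virtual Machines and S-1-5-32-544 is BUILTIN\Administrators; Administrators must stay in the list because a secedit template replaces the whole assignment rather than adding to it. The temp-file paths are placeholders. If the SSLF baseline reached the host through a Group Policy Object, import the same template into that GPO instead, since a user-rights setting delivered by Group Policy overrides the local value at the next refresh.

```powershell
# Added example (not from the original article): give the Virtual Machines group
# back the "Create symbolic links" right that the SSLF baseline removes, then
# verify. Run elevated on the Hyper-V host. S-1-5-83-0 = Virtual Machines group,
# S-1-5-32-544 = BUILTIN\Administrators (kept, because secedit replaces the list).
$inf = Join-Path $env:TEMP 'hyperv-symlink.inf'   # placeholder path

# Single-quoted here-string so "$CHICAGO$" is written literally
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
'@ | Set-Content -Path $inf -Encoding Unicode

# Apply only the user-rights area so nothing else in local policy is touched
secedit /configure /db "$env:windir\security\local.sdb" /cfg $inf /areas USER_RIGHTS

function Test-VmSymlinkRight {
    # Export the effective user-rights assignment and check the group is present
    $export = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export |
        Where-Object { $_ -match '^SeCreateSymbolicLinkPrivilege' } |
        Select-Object -First 1
    [bool]($line -and $line -match '\*S-1-5-83-0')
}

if (-not (Test-VmSymlinkRight)) {
    throw 'Virtual Machines group still lacks SeCreateSymbolicLinkPrivilege'
}
```

Test-VmSymlinkRight is also the check to run after every Group Policy change on the host, because a later edit to the GPO that re-applies the raw SSLF list silently takes the right away again.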

Don't forget to patch the host OS just as you would any other server. You should also separate VM and host OS administrative roles so that only a select group of sysadmins can log on to the Hyper-V server; VM owners who need to manage their own guests can be delegated that access through Hyper-V's Authorization Manager store rather than being made local administrators of the host. Once the host is configured, use the Hyper-V Best Practices Analyzer from Microsoft, which has been updated to support Windows Server 2008 R2, to confirm your server is set up correctly.

Protecting Virtual Machine Resources

Use separate logical disk volumes to isolate each VM's resources. BitLocker is not supported inside VMs (a virtual machine of this generation has no TPM to seal the key to), but you should enable it on the host OS to protect system files and the volumes that hold VM resources. By default, all VM configuration data and associated snapshots are stored under %programdata%\Microsoft\Windows\Hyper-V\. The local System account and the Administrators group have Full Control over this folder, and the Virtual Machines group has a more limited subset of permissions.

The Virtual Hard Disk (VHD) storage folder, which defaults to C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, holds the disk images for each VM. Rather than accepting the default paths offered by the New Virtual Machine Wizard, create your own directory structure for VM resources, including configuration data, and assign permissions to the appropriate groups of administrators while preserving the default permissions that Hyper-V requires on these folders. Windows auditing can also be configured to monitor access to VM resources.

Make sure you exclude VM resources from antivirus scanning engines on the host operating system: a real-time scanner that locks or modifies a VHD, snapshot or configuration file can corrupt a running VM. Microsoft's guidance is to exclude the VM configuration, VHD and snapshot directories together with the vmms.exe and vmwp.exe processes, and to keep the exclusions that narrow rather than turning scanning off on the host.
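Tying the two preceding points together, the script below is an added example (not the article's own procedure) that creates a dedicated VM storage tree, sets an explicit ACL shaped like the defaults described above (SYSTEM and Administrators Full Control, the Virtual Machines group a limited subset), delegates to the built-in Hyper-V Administrators group, turns on object-access auditing for the tree, and excludes it from real-time scanning. The drive letter is a placeholder; the Read-and-Execute grant to S-1-5-83-0 is a choice made here, not a setting from the page (vmms.exe adds per-VM entries on the VHD files itself when a disk is attached); and Set-MpPreference assumes Windows Defender, so on Windows Server 2008 R2 the equivalent exclusions go into whatever scanner is installed.

```powershell
# Added example (not from the original article): dedicated VM store with an
# explicit ACL, a SACL for auditing, and an antivirus exclusion. Run elevated.
# Assumptions: D:\VMStore is a placeholder; Read-and-Execute for the Virtual
# Machines group is chosen here; Set-MpPreference needs Windows Defender
# (Windows Server 2016 and later).
$root = 'D:\VMStore'
New-Item -ItemType Directory -Path "$root\Config", "$root\Disks" -Force | Out-Null

$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # break inheritance, drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
$rules = @(
    @('S-1-5-18',     'FullControl'),     # NT AUTHORITY\SYSTEM
    @('S-1-5-32-544', 'FullControl'),     # BUILTIN\Administrators
    @('S-1-5-32-578', 'Modify'),          # BUILTIN\Hyper-V Administrators (delegated VM admins)
    @('S-1-5-83-0',   'ReadAndExecute')   # NT VIRTUAL MACHINE\Virtual Machines (assumed grant)
)
foreach ($r in $rules) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($r[0])
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $r[1], $inherit, 'None', 'Allow')))
}
Set-Acl -Path $root -AclObject $acl

# Audit every write, delete or permission change on VM resources. Expect events
# from vmms.exe and vmwp.exe during normal operation; the interesting ones come
# from interactive users.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl = Get-Acl -Path $root -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
    $inherit, 'None', 'Success,Failure')))
Set-Acl -Path $root -AclObject $sacl

# Keep the scanner off live VHD and configuration files, and off the Hyper-V
# service and worker processes, per Microsoft's exclusion guidance
Set-MpPreference -ExclusionPath $root -ExclusionProcess 'vmms.exe', 'vmwp.exe'

function Get-VmStoreAcl {
    # Show what actually ended up on the folder after the changes above
    (Get-Acl -Path $root).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}
```

Point the New Virtual Machine Wizard (or Set-VMHost -VirtualHardDiskPath and -VirtualMachinePath on 2012 and later) at the two subfolders, then run Get-VmStoreAcl once a VM has been created to confirm that no Users or Authenticated Users entry has crept back in through inheritance from the drive root.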

Updating VMs Offline

If you need to manage more than a handful of VMs, use System Center Virtual Machine Manager (SCVMM). SCVMM includes the Offline Virtual Machine Servicing Tool, which services powered-off VMs stored in the SCVMM library: each VM is started on an isolated network, patched by PowerShell scripts working with Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), and shut down again, so a VM that has sat in the library for months never comes back online unpatched. Virtual Machine Manager works with both Hyper-V and VMware virtual machines, enables fast provisioning of new VMs, migrates physical servers to VMs and provides centralized management.

The Future of VM Security

Microsoft Research is working on a project called Bunker-V, which aims to eliminate the emulated legacy devices usually required to boot VMs, reducing the attack surface. VMware offers the VMsafe application programming interface in vSphere 4, which lets third parties develop security products that monitor and protect at the hypervisor layer and inspect network traffic passing through virtual switches.

Russell Smith is an independent consultant based in the U.K. who specializes in Microsoft systems management. 

About the Author

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.
